Merge pull request #373 from phusion/next

Update README.md regarding ignored env vars.

Changelog.md

@@ -1,3 +1,17 @@
+## 0.9.19 (release date: 2016-07-08)
+
+ * Upgraded to Ubuntu 16.04. Thanks to Pierre Jacomet for submitting this patch.
+ * During shutdown, repeatedly tell Runit to shutdown services in order to workaround a potential race condition in Runit itself. Closes GH-315. Thanks to Chris Kite for submitting this patch.
+ * Fixed a problem in PAM which may cause chpasswd and related tools to fail. This is caused by Docker bug 6345 which is already closed, but for some reason the problem still persists. Closes GH-181. Thanks to Michael Zedeler for submitting the patch.
+ * Fixed the syslog-ng logrotate script to correctly restart the syslog-to-Docker-logs forwarder. Closes GH-292. Thanks to Ernestas Lukoševičius for submitting the patch.
+
+
+## 0.9.18 (release date: 2015-12-08)
+
+ * The latest OpenSSL updates have been pulled in. This fixes [CVE-2015-3193](https://www.openssl.org/news/secadv/20151203.txt) and a few others. Upgrading is strongly recommended.
+ * Fixes disabling all services. Thanks to Enderson Maia.
+
+
 ## 0.9.17 (release date: 2015-07-15)
 
  * The latest OpenSSL updates have been pulled in. This fixes [CVE-2015-1793](http://openssl.org/news/secadv_20150709.txt). Upgrading is strongly recommended.

Makefile

@@ -1,5 +1,5 @@
 NAME = phusion/baseimage
-VERSION = 0.9.17
+VERSION = 0.9.19
 
 .PHONY: all build test tag_latest release ssh
 
@@ -12,7 +12,7 @@ test:
 	env NAME=$(NAME) VERSION=$(VERSION) ./test/runner.sh
 
 tag_latest:
-	docker tag -f $(NAME):$(VERSION) $(NAME):latest
+	docker tag $(NAME):$(VERSION) $(NAME):latest
 
 release: test tag_latest
 	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi

README.md

@@ -1,6 +1,8 @@
 # A minimal Ubuntu base image modified for Docker-friendliness
 
-[![](https://badge.imagelayers.io/phusion/baseimage:latest.svg)](https://imagelayers.io/?images=phusion/baseimage:latest 'Get your own badge on imagelayers.io')
+[![](https://badge.imagelayers.io/phusion/baseimage:0.9.17.svg)](https://imagelayers.io/?images=phusion/baseimage:latest 'Get your own badge on imagelayers.io')
+
+_Baseimage-docker only consumes 6 MB RAM and is much powerful than Busybox or Alpine. See why below._
 
 Baseimage-docker is a special [Docker](https://www.docker.com) image that is configured for correct use within Docker containers. It is Ubuntu, plus:
 
@@ -83,10 +85,10 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 
 | Component        | Why is it included? / Remarks |
 | ---------------- | ------------------- |
-| Ubuntu 14.04 LTS | The base system. |
+| Ubuntu 16.04 LTS | The base system. |
 | A **correct** init process | _Main article: [Docker and the PID 1 zombie reaping problem](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)._ <br><br>According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
-| syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. All syslog messages are forwarded to "docker logs". |
+| syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. All syslog messages are forwarded to "docker logs".<br><br>Why syslog-ng?<br>I've had bad experience with rsyslog. I regularly run into bugs with rsyslog, and once in a while it takes my log host down by entering a 100% CPU loop in which it can't do anything. Syslog-ng seems to be much more stable. |
 | logrotate | Rotates and compresses logs on a regular basis. |
 | SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is **disabled by default** and is only one of the methods provided by baseimage-docker for this purpose. The other method is through [docker exec](#login_docker_exec). SSH is also provided as an alternative because `docker exec` comes with several caveats._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed. |
 | cron | The cron daemon must be running for cron jobs to work. |
@@ -167,7 +169,8 @@ In `memcached.sh` (make sure this file is chmod +x):
 In `Dockerfile`:
 
     RUN mkdir /etc/service/memcached
-    ADD memcached.sh /etc/service/memcached/run
+    COPY memcached.sh /etc/service/memcached/run
+    RUN chmod +x /etc/service/memcached/run
 
 Note that the shell script must run the daemon **without letting it daemonize/fork it**. Usually, daemons provide a command line flag or a config file option for that.
 
@@ -181,9 +184,11 @@ The baseimage-docker init system, `/sbin/my_init`, runs the following scripts du
 
 All scripts must exit correctly, e.g. with exit code 0. If any script exits with a non-zero exit code, the booting will fail.
 
+**Important note:** If you are executing the container in interactive mode (i.e. when you run a container with `-it`), rather than daemon mode, you are sending stdout directly to the terminal (`-i` interactive `-t` terminal). If you are not calling `/sbin/my_init` in your run declaration, `/sbin/my_init` will not be executed, therefore your scripts will not be called during container startup.
+
 The following example shows how you can add a startup script. This script simply logs the time of boot to the file /tmp/boottime.txt.
 
-In `logtime.sh` (make sure this file is chmod +x):
+In `logtime.sh`:
 
     #!/bin/sh
     date > /tmp/boottime.txt
@@ -191,7 +196,8 @@ In `logtime.sh` (make sure this file is chmod +x):
 In `Dockerfile`:
 
     RUN mkdir -p /etc/my_init.d
-    ADD logtime.sh /etc/my_init.d/logtime.sh
+    COPY logtime.sh /etc/my_init.d/logtime.sh
+	  RUN chmod +x /etc/my_init.d/logtime.sh
 
 <a name="environment_variables"></a>
 ### Environment variables
@@ -201,6 +207,7 @@ If you use `/sbin/my_init` as the main container command, then any environment v
  * Environment variables on Unix are inherited on a per-process basis. This means that it is generally not possible for a child process to change the environment variables of other processes.
  * Because of the aforementioned point, there is no good central place for defining environment variables for all applications and services. Debian has the `/etc/environment` file but it only works in some situations.
  * Some services change environment variables for child processes. Nginx is one such example: it removes all environment variables unless you explicitly instruct it to retain them through the `env` configuration option. If you host any applications on Nginx (e.g. using the [passenger-docker](https://github.com/phusion/passenger-docker) image, or using Phusion Passenger in your own image) then they will not see the environment variables that were originally passed by Docker.
+ * We ignore HOME, SHELL, USER and a bunch of other environment variables on purpose, because _not_ ignoring them will break multi-user containers. See https://github.com/phusion/baseimage-docker/pull/86 -- A workaround for setting the `HOME` environment variable looks like this: `RUN echo /root > /etc/container_environment/HOME`. See https://github.com/phusion/baseimage-docker/issues/119
 
 `my_init` provides a solution for all these caveats.
 
@@ -281,7 +288,7 @@ If you are sure that your environment variables don't contain sensitive data, th
 <a name="upgrading_os"></a>
 ### Upgrading the operating system inside the container
 
-Baseimage-docker images contain an Ubuntu 14.04 operating system. You may want to update this OS from time to time, for example to pull in the latest security updates. OpenSSL is a notorious example. Vulnerabilities are discovered in OpenSSL on a regular basis, so you should keep OpenSSL up-to-date as much as you can.
+Baseimage-docker images contain an Ubuntu 16.04 operating system. You may want to update this OS from time to time, for example to pull in the latest security updates. OpenSSL is a notorious example. Vulnerabilities are discovered in OpenSSL on a regular basis, so you should keep OpenSSL up-to-date as much as you can.
 
 While we release Baseimage-docker images with the latest OS updates from time to time, you do not have to rely on us. You can update the OS inside Baseimage-docker images yourself, and it is recommend that you do this instead of waiting for us.
 
@@ -405,6 +412,19 @@ Baseimage-docker disables the SSH server by default. Add the following to your D
     # init system will auto-generate one during boot.
     RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
 
+Alternatively, to enable sshd only for a single instance of your container, create a folder with a [startup script](#running_startup_scripts).  The contents of that should be
+
+    ### In myfolder/enable_ssh.sh (make sure this file is chmod +x):
+    #!/bin/sh
+    rm -f /etc/service/sshd/down
+    ssh-keygen -P "" -t dsa -f /etc/ssh/ssh_host_dsa_key
+
+Then, you can start your container with
+
+    docker run -d -v `pwd`/myfolder:/etc/my_init.d my/dockerimage
+
+This will initialize sshd on container boot.  You can then access it with the insecure key as below, or using the methods to add a secure key.  Further, you can publish the port to your machine with -p 22:2222 allowing you to ssh to localhost:2222 instead of looking up the ip address.
+
 <a name="ssh_keys"></a>
 #### About SSH keys
 
@@ -456,7 +476,7 @@ Instructions for logging in the container is the same as in section [Using the i
 Edit your Dockerfile to install an SSH public key:
 
     ## Install an SSH of your choice.
-    ADD your_key.pub /tmp/your_key.pub
+    COPY your_key.pub /tmp/your_key.pub
     RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub
 
 Then rebuild your image. Once you have that, start a container based on that image:
@@ -530,45 +550,19 @@ If you want to call the resulting image something else, pass the NAME variable,
 
 The default baseimage-docker installs `syslog-ng`, `cron` and `sshd` services during the build process.
 
-In case you don't need one or more of these services in your image, you can disable its installation and/or install the substituite service of your preference.
+In case you don't need one or more of these services in your image, you can disable its installation.
 
-You can user the `ENV` directive in your Dockerfile for these three variables :
+As shown in the following example, to prevent `sshd` from being installed into your image, set `1` to the `DISABLE_SSH` variable in the `./image/buildconfig` file.
-
-* `DISABLE_SYSLOG`
-* `DISABLE_SSH`
-* `DISABLE_CRON`
-
-For ex., if you want to disable ssh on your image :
-
-    #...
-    FROM phusion/baseimage:<VERSION>
-
-    # Set correct environment variables.
-    ENV HOME /root
-
-    # Disable SSH
-    ENV DISABLE_SSH 1
-
-    # Use baseimage-docker's init system.
-    CMD ["/sbin/my_init"]
-
-    # ...put your own build instructions here...
-
-    # Clean up APT when done.
-    RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-If you don't want to use the `ENV` directive inside your Dockerfile and avoid creating another image layer, as shown in the following example, to prevent `sshd` from being installed into your image, set `1` to the `DISABLE_SSH` variable in the `./image/buildconfig` file.
 
     ### In ./image/buildconfig
     # ...
     # Default services
     # Set 1 to the service you want to disable
-    export DISABLE_SYSLOG=${DISABLE_SYSLOG:-0}
+    export DISABLE_SYSLOG=0
-    export DISABLE_SSH=${DISABLE_SSH:-1}
+    export DISABLE_SSH=1
-    export DISABLE_CRON=${DISABLE_CRON:-0}
+    export DISABLE_CRON=0
 
-
+Then you can proceed with `make build` command.
-Then you can proceed with `docker build` command.
 
 <a name="conclusion"></a>
 ## Conclusion

README_ZH_cn_.md

@@ -82,7 +82,7 @@ Baseimage-docker让这一切完美。在"内容"部分描述了所有这些修
 
 | 模块        | 为什么包含这些？以及备注 |
 | ---------------- | ------------------- |
-| Ubuntu 14.04 LTS | 基础系统。 |
+| Ubuntu 16.04 LTS | 基础系统。 |
 | 一个**正确**的初始化进程  | *主要文章：[Docker和PID 1 僵尸进程回收问题](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)*<br/><br/>根据Unix进程模型，[初始化进程](https://en.wikipedia.org/wiki/Init) -- PID 1 -- 继承了所有[孤立的子进程](https://en.wikipedia.org/wiki/Orphan_process)，并且必须[进行回收](https://en.wikipedia.org/wiki/Wait_(system_call))。大多数Docker容器没有一个初始化进程可以正确的完成此操作，随着时间的推移会导致他们的容器出现了大量的[僵尸进程](https://en.wikipedia.org/wiki/Zombie_process)。<br/><br/>而且，`docker stop`发送SIGTERM信号给初始化进程，照理说此信号应该可以停止所有服务。不幸的是由于它们对硬件进行了关闭操作，导致Docker内的大多数初始化系统没有正确执行。这会导致进程强行被SIGKILL信号关闭，从而丧失了一个正确取消初始化设置的机会。这会导致文件损坏。<br/><br/>Baseimage-docker配有一个名为`/sbin/my_init`的初始化进程来同时正确的完成这些任务。 |
 | 修复了APT与Docker不兼容的问题 | 详情参见：https://github.com/dotcloud/docker/issues/1024 。 |
 | syslog-ng | 对于很多服务－包括kernel自身，都需要一个syslog后台进程，以便可以正确的将log输出到/var/log/syslog中。如果没有运行syslog后台进程，很多重要的信息就会默默的丢失了。<br/><br/>只对本地进行监听。所有syslog信息会被转发给“docker logs”。 |
@@ -116,7 +116,6 @@ Baseimage-docker *鼓励* 通过runit来运行多进程.
 <a name="getting_started"></a>
 ### 入门指南
 
-The image is called `phusion/baseimage`, and is available on the Docker registry.
 镜像名字叫`phusion/baseimage`,在Docker仓库上也是可用的.
 
 下面的这个是一个Dockerfile的模板.
@@ -143,7 +142,7 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
 <a name="adding_additional_daemons"></a>
 ### 增加后台进程
 
-你可以通过runit工具向你的镜像中添加后台进程(例如:你自己的某些应用).你需要编写一个运行你需要的后台进程的脚步就可以了,runit工具会保证它的正常运行,如果进程死掉,runit也会重启它的.
+你可以通过runit工具向你的镜像中添加后台进程(例如:你自己的某些应用).你需要编写一个运行你需要的后台进程的脚本就可以了,runit工具会保证它的正常运行,如果进程死掉,runit也会重启它的.
 
 脚本的名称必须是`run`,必须是可以运行的,它需要放到`/etc/service/<NAME>`.
 
@@ -156,7 +155,7 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
 	
 	### 在Dockerfile中:
     RUN mkdir /etc/service/memcached
-    ADD memcached.sh /etc/service/memcached/run
+    COPY memcached.sh /etc/service/memcached/run
 
 注意脚本必须运行在后台的,**不能让他们进程进行daemonize/fork**.通常,后台进程会提供一个标志位或者配置文件.
 
@@ -178,7 +177,7 @@ baseimage-docker的初始化脚本 `/sbin/my_init`,在启动的时候进程运
 
     ### 在 Dockerfile中:
     RUN mkdir -p /etc/my_init.d
-    ADD logtime.sh /etc/my_init.d/logtime.sh
+    COPY logtime.sh /etc/my_init.d/logtime.sh
 
 
 <a name="environment_variables"></a>
@@ -435,10 +434,10 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
    * 不想使用`nsenter`,运行的进程和正在的进程会不一样.
    * 不需要docker主机提供root权限.
    * 运行你让用户登录到容器,而不需要登录到docker主机.然而,默认这是不启用的,因为baseimage-docker默认不是开放ssh服务的.
- *　缺点
+ * 缺点
-   * 需要设置ssh key.然而,baseimage-docker会提供一中办法,会让key的生成会很容器.阅读更多信息.
+   * 需要设置ssh key.然而,baseimage-docker会提供一中办法,会让key的生成会很容易.阅读更多信息.
 
-第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认,没有任何安装key的,所有你无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全行,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.**
+第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认是不安装任何key的,所以任何人都无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全性,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.**
 
 
 <a name="using_the_insecure_key_for_one_container_only"></a>
@@ -487,7 +486,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
 编辑你的dockerfile,来安装ssh public key:
 
     ## 安装你自己的public key.
-    ADD your_key.pub /tmp/your_key.pub
+    COPY your_key.pub /tmp/your_key.pub
     RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub
 
 重新创建你的镜像.一旦你创建成功,启动基于这个镜像的容器.

README_zh_tw.md

@@ -82,7 +82,7 @@ Baseimage-docker讓這一切完美。在"內容"部分描述了所有這些修
 
 | 模塊        | 爲什麼包含這些？以及備註 |
 | ---------------- | ------------------- |
-| Ubuntu 14.04 LTS | 基礎系統。 |
+| Ubuntu 16.04 LTS | 基礎系統。 |
 | 一個**正確**的初始化行程  | *主要文章：[Docker和PID 1 殭屍行程回收問題](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)*<br/><br/>根據Unix行程模型，[初始化行程](https://en.wikipedia.org/wiki/Init) -- PID 1 -- 繼承了所有[孤立的子行程](https://en.wikipedia.org/wiki/Orphan_process)，並且必須[進行回收](https://en.wikipedia.org/wiki/Wait_(system_call))。大多數Docker容器沒有一個初始化行程可以正確的完成此操作，隨着時間的推移會導致他們的容器出現了大量的[殭屍行程](https://en.wikipedia.org/wiki/Zombie_process)。<br/><br/>而且，`docker stop`發送SIGTERM信號給初始化行程，照理說此信號應該可以停止所有服務。不幸的是由於它們對硬體進行了關閉操作，導致Docker內的大多數初始化系統沒有正確執行。這會導致行程強行被SIGKILL信號關閉，從而喪失了一個正確取消初始化設置的機會。這會導致文件損壞。<br/><br/>Baseimage-docker配有一個名爲`/sbin/my_init`的初始化行程來同時正確的完成這些任務。 |
 | 修復了APT與Docker不兼容的問題 | 詳情參見：https://github.com/dotcloud/docker/issues/1024 。 |
 | syslog-ng | 對於很多服務－包括kernel自身，都需要一個syslog後臺行程，以便可以正確的將log輸出到/var/log/syslog中。如果沒有運行syslog後臺行程，很多重要的信息就會默默的丟失了。<br/><br/>只對本地進行監聽。所有syslog信息會被轉發給“docker logs”。 |
@@ -143,7 +143,7 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
 <a name="adding_additional_daemons"></a>
 ### 增加後臺行程
 
-你可以通過runit工具向你的鏡像中添加後臺行程(例如:你自己的某些應用).你需要編寫一個運行你需要的後臺行程的腳步就可以了,runit工具會保證它的正常運行,如果行程死掉,runit也會重啓它的.
+你可以通過runit工具向你的鏡像中添加後臺行程(例如:你自己的某些應用).你需要編寫一個運行你需要的後臺行程的腳本就可以了,runit工具會保證它的正常運行,如果行程死掉,runit也會重啓它的.
 
 腳本的名稱必須是`run`,必須是可以運行的,它需要放到`/etc/service/<NAME>`.
 
@@ -156,7 +156,7 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
 	
 	### 在Dockerfile中:
     RUN mkdir /etc/service/memcached
-    ADD memcached.sh /etc/service/memcached/run
+    COPY memcached.sh /etc/service/memcached/run
 
 注意腳本必須運行在後臺的,**不能讓他們行程進行daemonize/fork**.通常,後臺行程會提供一個標誌位或者配置文件.
 
@@ -178,7 +178,7 @@ baseimage-docker的初始化腳本 `/sbin/my_init`,在啓動的時候行程運
 
     ### 在 Dockerfile中:
     RUN mkdir -p /etc/my_init.d
-    ADD logtime.sh /etc/my_init.d/logtime.sh
+    COPY logtime.sh /etc/my_init.d/logtime.sh
 
 
 <a name="environment_variables"></a>
@@ -435,10 +435,10 @@ Baseimage-docker提供了一個靈活的方式運行只要一閃而過的命令,
    * 不想使用`nsenter`,運行的行程和正在的行程會不一樣.
    * 不需要docker主機提供root權限.
    * 運行你讓用戶登錄到容器,而不需要登錄到docker主機.然而,默認這是不啓用的,因爲baseimage-docker默認不是開放ssh服務的.
- *　缺點
+ * 缺點
-   * 需要設置ssh key.然而,baseimage-docker會提供一中辦法,會讓key的生成會很容器.閱讀更多信息.
+   * 需要設置ssh key.然而,baseimage-docker會提供一中辦法,會讓key的生成會很容易.閱讀更多信息.
 
-第一件事情,就是你需要確定你在容器中已經安裝設置了ssh key. 默認,沒有任何安裝key的,所有你無法登錄.爲了方便的原因,我們提供了一個[已經生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),爲了讓你使用方便.然後,請注意這個key僅僅是爲方便.他沒有任何安全行,因爲它的key是在網絡上提供的.**在生產環境,你必須使用你自己的key.**
+第一件事情,就是你需要確定你在容器中已經安裝設置了ssh key. 默認是不安裝任何key的,所以任何人都無法登錄.爲了方便的原因,我們提供了一個[已經生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),爲了讓你使用方便.然後,請注意這個key僅僅是爲方便.他沒有任何安全性,因爲它的key是在網絡上提供的.**在生產環境,你必須使用你自己的key.**
 
 
 <a name="using_the_insecure_key_for_one_container_only"></a>
@@ -487,7 +487,7 @@ Baseimage-docker提供了一個靈活的方式運行只要一閃而過的命令,
 編輯你的dockerfile,來安裝ssh public key:
 
     ## 安裝你自己的public key.
-    ADD your_key.pub /tmp/your_key.pub
+    COPY your_key.pub /tmp/your_key.pub
     RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub
 
 重新創建你的鏡像.一旦你創建成功,啓動基於這個鏡像的容器.

image/Dockerfile

@@ -1,11 +1,16 @@
-FROM ubuntu:14.04
+FROM armhf/ubuntu
 MAINTAINER Phusion <info@phusion.nl>
 
-ADD . /bd_build
+COPY . /bd_build
 
 RUN /bd_build/prepare.sh && \
 	/bd_build/system_services.sh && \
 	/bd_build/utilities.sh && \
+	/bd_build/fix_pam_bug.sh && \
 	/bd_build/cleanup.sh
 
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
 CMD ["/sbin/my_init"]

image/bin/my_init

@@ -1,8 +1,8 @@
 #!/usr/bin/python3 -u
 import os, os.path, sys, stat, signal, errno, argparse, time, json, re
 
-KILL_PROCESS_TIMEOUT = 5
+KILL_PROCESS_TIMEOUT = os.environ.get('KILL_PROCESS_TIMEOUT', 5)
-KILL_ALL_PROCESSES_TIMEOUT = 5
+KILL_ALL_PROCESSES_TIMEOUT = os.environ.get('KILL_ALL_PROCESSES_TIMEOUT', 5)
 
 LOG_LEVEL_ERROR = 1
 LOG_LEVEL_WARN  = 1
@@ -244,8 +244,9 @@ def wait_for_runit_or_interrupt(pid):
 	except KeyboardInterrupt:
 		return (False, None)
 
-def shutdown_runit_services():
+def shutdown_runit_services(quiet = False):
-	debug("Begin shutting down runit services...")
+	if not quiet:
+		debug("Begin shutting down runit services...")
 	os.system("/usr/bin/sv down /etc/service/*")
 
 def wait_for_runit_services():
@@ -255,6 +256,12 @@ def wait_for_runit_services():
 		done = os.system("/usr/bin/sv status /etc/service/* | grep -q '^run:'") != 0
 		if not done:
 			time.sleep(0.1)
+			# According to https://github.com/phusion/baseimage-docker/issues/315
+			# there is a bug or race condition in Runit, causing it
+			# not to shutdown services that are already being started.
+			# So during shutdown we repeatedly instruct Runit to shutdown
+			# services.
+			shutdown_runit_services(True)
 
 def install_insecure_key():
 	info("Installing insecure SSH key for user root")
@@ -269,7 +276,7 @@ def main(args):
 
 	if not args.skip_startup_files:
 		run_startup_files()
-	
+
 	runit_exited = False
 	exit_code = None
 

image/bin/setuser

@@ -1,26 +1,64 @@
 #!/usr/bin/python3
-import sys, os, pwd
+'''
+Copyright (c) 2013-2015 Phusion Holding B.V.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+'''
+
+import sys
+import os
+import pwd
 
-if len(sys.argv) < 3:
-	sys.stderr.write("Usage: /sbin/setuser USERNAME COMMAND [args..]\n")
-	sys.exit(1)
 
 def abort(message):
-	sys.stderr.write("setuser: %s\n" % message)
+    sys.stderr.write("setuser: %s\n" % message)
-	sys.exit(1)
+    sys.exit(1)
+
+
+def main():
+    '''
+    A simple alternative to sudo that executes a command as a user by setting
+    the user ID and user parameters to those described by the system and then
+    using execvp(3) to execute the command without the necessity of a TTY
+    '''
+
+    username = sys.argv[1]
+    try:
+        user = pwd.getpwnam(username)
+    except KeyError:
+        abort("user %s not found" % username)
+    os.initgroups(username, user.pw_gid)
+    os.setgid(user.pw_gid)
+    os.setuid(user.pw_uid)
+    os.environ['USER'] = username
+    os.environ['HOME'] = user.pw_dir
+    os.environ['UID'] = str(user.pw_uid)
+    try:
+        os.execvp(sys.argv[2], sys.argv[2:])
+    except OSError as e:
+        abort("cannot execute %s: %s" % (sys.argv[2], str(e)))
+
+if __name__ == '__main__':
+
+    if len(sys.argv) < 3:
+        sys.stderr.write("Usage: /sbin/setuser USERNAME COMMAND [args..]\n")
+        sys.exit(1)
+
+    main()
 
-username = sys.argv[1]
-try:
-	user = pwd.getpwnam(username)
-except KeyError:
-	abort("user %s not found" % username)
-os.initgroups(username, user.pw_gid)
-os.setgid(user.pw_gid)
-os.setuid(user.pw_uid)
-os.environ['USER'] = username
-os.environ['HOME'] = user.pw_dir
-os.environ['UID']  = str(user.pw_uid)
-try:
-	os.execvp(sys.argv[2], sys.argv[2:])
-except OSError as e:
-	abort("cannot execute %s: %s" % (sys.argv[2], str(e)))

image/cleanup.sh

@@ -4,9 +4,8 @@ source /bd_build/buildconfig
 set -x
 
 apt-get clean
-rm -rf /bd_build
+ls -d -1 /bd_build/**/* | grep -v "cleanup.sh" | grep -v "buildconfig" | xargs rm -f
 rm -rf /tmp/* /var/tmp/*
 rm -rf /var/lib/apt/lists/*
-rm -f /etc/dpkg/dpkg.cfg.d/02apt-speedup
 
 rm -f /etc/ssh/ssh_host_*

image/fix_pam_bug.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+source /bd_build/buildconfig
+set -x
+
+# Fixes https://github.com/docker/docker/issues/6345
+# The Github is closed, but some apps such as pbuilder still triggers it.
+
+export CONFIGURE_OPTS=--disable-audit
+cd /tmp
+
+$minimal_apt_get_install gdebi-core
+apt-get build-dep -y --no-install-recommends pam
+apt-get source -y -b pam
+gdebi -n libpam-doc*.deb libpam-modules*.deb libpam-runtime*.deb libpam0g*.deb
+rm -rf *.deb *.gz *.dsc *.changes pam-*
+
+# Unfortunately there is no way to automatically remove build deps, so we do this manually.
+apt-get remove -y gdebi-core autoconf automake autopoint autotools-dev binutils bsdmainutils \
+	build-essential bzip2 cpp cpp-5 debhelper dh-autoreconf dh-strip-nondeterminism \
+	diffstat docbook-xml docbook-xsl dpkg-dev flex g++ g++-5 gcc gcc-5 gettext gettext-base \
+	groff-base intltool-debian libarchive-zip-perl libasan2 libasprintf0v5 libatomic1 \
+	libaudit-dev libc-dev-bin libc6-dev libcc1-0 libcrack2 libcrack2-dev libcroco3 \
+	libdb-dev libdb5.3-dev libdpkg-perl libfile-stripnondeterminism-perl libfl-dev libgc1c2 \
+	libgcc-5-dev libgdbm3 libgomp1 libgpm2 libicu55 libisl15 libmpc3 \
+	libmpfr4 libpcre16-3 libpcre3-dev libpcre32-3 libpcrecpp0v5 libperl5.22 \
+	libpipeline1 libselinux1-dev libsepol1-dev libsigsegv2 libstdc++-5-dev \
+	libtimedate-perl libtool libubsan0 libunistring0 libxml2 libxml2-utils \
+	libxslt1.1 linux-libc-dev m4 make man-db patch perl perl-modules-5.22 pkg-config \
+	po-debconf quilt sgml-base sgml-data w3m xml-core xsltproc xz-utils
+
+apt-get remove -y gdebi-core
+apt-get autoremove -y

image/prepare.sh

@@ -3,11 +3,6 @@ set -e
 source /bd_build/buildconfig
 set -x
 
-## Temporarily disable dpkg fsync to make building faster.
-if [[ ! -e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup ]]; then
-	echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/docker-apt-speedup
-fi
-
 ## Prevent initramfs updates from trying to run grub and lilo.
 ## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/
 ## http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594189

image/services/cron/cron.sh

@@ -7,6 +7,8 @@ $minimal_apt_get_install cron
 mkdir /etc/service/cron
 chmod 600 /etc/crontab
 cp /bd_build/services/cron/cron.runit /etc/service/cron/run
+# Fix cron issues in 0.9.19, see also #345: https://github.com/phusion/baseimage-docker/issues/345
+sed -i 's/^\s*session\s\+required\s\+pam_loginuid.so/# &/' /etc/pam.d/cron
 
 ## Remove useless cron entries.
 # Checks for lost+found and scans for mtab.

image/services/syslog-ng/logrotate.conf

@@ -0,0 +1,36 @@
+# see "man logrotate" for details
+# rotate log files weekly
+weekly
+
+# use the syslog group by default, since this is the owning group
+# of /var/log/syslog.
+# su root syslog
+
+# keep 4 weeks worth of backlogs
+rotate 4
+
+# create new (empty) log files after rotating old ones
+create
+
+# uncomment this if you want your log files compressed
+#compress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# no packages own wtmp, or btmp -- we'll rotate them here
+/var/log/wtmp {
+    missingok
+    monthly
+    create 0664 root utmp
+    rotate 1
+}
+
+/var/log/btmp {
+    missingok
+    monthly
+    create 0660 root utmp
+    rotate 1
+}
+
+# system-specific logs may be configured here

image/services/syslog-ng/logrotate_syslogng

@@ -8,6 +8,7 @@
 	compress
 	postrotate
 		sv reload syslog-ng > /dev/null
+		sv restart syslog-forwarder > /dev/null
 	endscript
 }
 
@@ -33,6 +34,6 @@
 	sharedscripts
 	postrotate
 		sv reload syslog-ng > /dev/null
-		sv restart cron-log-forwarder > /dev/null
+		sv restart syslog-forwarder > /dev/null
 	endscript
 }

image/services/syslog-ng/syslog-ng.sh

@@ -21,4 +21,5 @@ cp $SYSLOG_NG_BUILD_PATH/syslog-forwarder.runit /etc/service/syslog-forwarder/ru
 
 ## Install logrotate.
 $minimal_apt_get_install logrotate
+cp $SYSLOG_NG_BUILD_PATH/logrotate.conf /etc/logrotate.conf
 cp $SYSLOG_NG_BUILD_PATH/logrotate_syslogng /etc/logrotate.d/syslog-ng

image/system_services.sh

@@ -20,10 +20,10 @@ ln -s /etc/container_environment.sh /etc/profile.d/
 $minimal_apt_get_install runit
 
 ## Install a syslog daemon and logrotate.
-[ "$DISABLE_SYSLOG" -eq 0 ] && /bd_build/services/syslog-ng/syslog-ng.sh
+[ "$DISABLE_SYSLOG" -eq 0 ] && /bd_build/services/syslog-ng/syslog-ng.sh || true
 
 ## Install the SSH server.
-[ "$DISABLE_SSH" -eq 0 ] && /bd_build/services/sshd/sshd.sh
+[ "$DISABLE_SSH" -eq 0 ] && /bd_build/services/sshd/sshd.sh || true
 
 ## Install cron daemon.
-[ "$DISABLE_CRON" -eq 0 ] && /bd_build/services/cron/cron.sh
+[ "$DISABLE_CRON" -eq 0 ] && /bd_build/services/cron/cron.sh || true

test/runner.sh

@@ -21,7 +21,7 @@ ID=`docker run -d -v $PWD/test:/test $NAME:$VERSION /sbin/my_init --enable-insec
 sleep 1
 
 echo " --> Obtaining IP"
-IP=`docker inspect $ID | grep IPAddress | sed -e 's/.*: "//; s/".*//'`
+IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$ID"`
 if [[ "$IP" = "" ]]; then
 	abort "Unable to obtain container IP"
 fi